Last week, journalist Dmitry Smilyanets published an article on The Record detailing his interview with cyber criminal Mikhail Matveev, who has gone by various monikers (Babuk, BorisElcin, Wazawaka, unc1756 and Orange).
Mikhail is provides some very open and interesting insights in to the cyber criminal world, dispelling some myths and discussing the ways he and other criminal gang operate and how they gain initial access.
While the media likes to portray cyber criminal orgasations similar to mafia style underworld corporations, Mikhail states that threat actor generally work alone and instead collaborate occassionally. Cyber criminals will also ‘bump in to each other’ on victim networks with the different groups either coming to an agreement or others simply ‘double encrypting’ a targets files so that no-one can decrypt them.
Mikhail also confirms what most security consultants have been saying for years: that most attacks are not from some sophisticated drawn out campaign but rather exploitation of poor housekeeping, poor security practices and a lack of layered defence.
When discussing attacks, he confirmed that initial footholds are gained through widely published exploits that haven’t been patched such as those in firewalls or RDP servers. Once in a network, attackers will look for existing dormant accounts with high privilges to aid in the attack.
He also said that even large corporate networks such as Capcom are often not well-segregated but rather just one large flat network which – once compromised – provided access to everything.
Summary
The interview with Mikhail – while providing a very interesting viewpoint – simply confirms what security consultants already know: the Pareto principle applies to security, meaning that 80% of the protection can be achieved from 20% of the effort by getting the small stuff right. Regular patching and review of endpoints, user accounts and creating a layered approach to security so that compromising the perimeter doesn’t provided unfettered access to everything.